CVE-2011-3583 — SQL Injection in Typo3

CWE-89 — SQL Injection4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

0.4%

top 39.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Typo3 Typo3 CMS Typo3 Core

Timeline

PublishedNov 26

Latest updateApr 22

Description

It was found that Typo3 Core versions 4.5.0 - 4.5.5 uses prepared statements that, if the parameter values are not properly replaced, could lead to a SQL Injection vulnerability. This issue can only be exploited if two or more parameters are bound to the query and at least two come from user input.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5typo3_core/typo3_core4.5.0 - 4.5.5

▶Packagisttypo3/cms4.5.0 — 4.5.5

▶NVDtypo3/typo34.5.0 — 4.5.5

🔴Vulnerability Details

OSV

Typo3 SQL injection due to faulty prepared statements↗2022-04-22

▶

GHSA

Typo3 SQL injection due to faulty prepared statements↗2022-04-22

▶

CVEList

CVE-2011-3583: It was found that Typo3 Core versions 4↗2019-11-25

▶